A system (10) and device (18) for controlling access to 
the hard disk memory portion of a computer on both 
hardware and software levels, with associated 
administrative control. A switching device (18) is 
inserted in the wiring between the hard disk controller 
and the hard disk (32), requiring the application of a 
key (34) or other suitable electronic or digital access 
means for operation of the switch allowing an 
unprotected mode, a mode wherein a disk (24) in a 
protected disk drive may be read from but not written 
to; a mode wherein a disk (24) in a protected disk drive 
may be written to but not read from and a mode wherein 
a disk (24) in a disk drive may neither be read from nor 
written to and a software program verifying the 
functioning of the hardware and providing means to 
detect an attempted access of a protected drive and 
maintaining a status log for security audit purposes. 
The key (34) and the software program being 
administratively controlled. 
LAYERED PROTECTION SYSTEM 
FOR COMPUTER'S HARD DISK 



This application in part discloses and claims 
subject matter disclosed in our earlier filed pending 
application, Serial Number 07/378,549, filed July 10, 
1989. 

The U.S. Government has rights in this invention 
pursuant to Contract No. DE-AC05-84OR21400 awarded by the 
U.S. Department of Energy contract with Martin Marietta 
Energy Systems, Inc. 

Technical Field 



This invention relates to the field of computer 
disk security and more particularly concerns a multilevel 
system and device for preventing unauthorized access to 
such a computer disk. 



Background 



In establishments using proprietary or classified 
information, especially in the government and military 
environments, microcomputers equipped with nonremovable 
"hard" disks are approved for handling sensitive 
information only in secured areas because sensitive 
information could be stored intentionally or 
inadvertently on the nonremovable "hard" disks. As a 
result, the sensitive information could be obtained by 
unauthorized individuals. Also, information that is 
legitimately stored on these nonremovable "hard" disks 
needs protection from inadvertent erasure or alteration. 
The effort of maintaining computers in an environment 
free from such undesirable occurrences as these naturally 
hampers productivity. However, productivity could be 
significantly increased if a microcomputer's central 
processor could be accessed while verifiably preventing 
unauthorized access to the information stored on the 
computer's disk drives. Similar problems could also 
exist for computer users in private industry. 

The prior art made of record in the parent case is 
herein incorporated by reference. While some of the 
above referenced art addresses the problem of controlling 
access to the computer, the prior art relies on physical 
obstructions to the external openings to the drive bays 
or to keyed "on-off" switches. The art does not offer or 
suggest a system that simultaneously offers access to the 
processing capabilities of the computer while verifiably 
preventing access to the information stored in the 
protected disk drives. 

Accordingly, it is an object of this invention to 
provide a multilayered system incorporating hardware and 
software which verifiably prevents undesirable access to 
a computer's hard disk memory while allowing an operator 
to use the computer's central processor. 

It is another object of the present invention to 
provide a multilayered system incorporating hardware and 
software which also prevents undesirable access to a 
computer's floppy disk drive(s) if such protection is 
warranted. 

It is another object of this invention to provide 
a multilayered security system which maintains a status 
log of all protected disk checks and activities for 
purposes of routine security audit checks. 

It is another object of this invention to provide 
a multilayered security system which prevents "virus" 
contamination of protected drives. 

Other objects and advantages over the prior art 
will become apparent to those skilled in the art upon 
reading the detailed description together with the 
drawings as described as follows. 



WO 91/01065    PCT/US90/03865 

Disclosure of the Invention 

In accordance with various features of the present 
invention, a layered protection system for a computer 
disk is provided wherein both read and write access to 
the hard disk of a computer are controlled and can be 
prevented on multiple cooperating levels. The layered 
protection system for a computer disk includes a hardware 
layer, wherein certain of the electrical wires which 
connect the computer to the disk controller are 
physically interrupted with a switching device inserted 
therebetween to reestablish the electrical connections 
only under controlled conditions. 

Maintaining administrative control of the key for 
the security switch comprises another cooperating level 
of controlling the access to the hard disk memory. 
Within the multilevel protection program of the preferred 
embodiment of the present invention, four operating modes 
are established. The first such operating mode is a 
"NORMAL" mode, wherein an operator can both read from and 
write to the hard disk memory of a computer. The second 
is a "READ ONLY" mode, wherein an operator can read from 
the hard disk but cannot write to it. The third mode is 
for "WRITE ONLY", wherein an operator can write data into 
the hard disk memory of a computer but cannot read from 
it. Finally, there is a "NEITHER" mode, wherein an 
operator can neither read from nor write to the hard disk 
memory, but can still utilize all the other functions of 
the affected computer. 

The layered protection system also includes a 
software layer that verifies that the hardware is both 
functioning and in use. This software "locks up" the 
system in the event of a failure on the part of the 
hardware. The software also initiates and maintains a 
status log for security audit purposes. Administrative 
controls require the computer to be started with a "boot" 
disk which contains the software layer. The software 
functions as a "Terminate and Stay Resident" (TSR) 
program. This allows the software to verify that the 
hardware is functioning and prevent unauthorized access 
to the hard disk while the operator is using the 
computer. When the computer user is finished working in 
a classified environment the software is again utilized 
to verify that the protected disks have not been written 
to and to update the security audit status log. 

Brief Description of the Drawings 

The above mentioned features of the invention will 
become more clearly understood from the following 
detailed description of the invention read together with 
the drawings in which: 

Figures 1A, 1B, and 1C are pictorial views of the 
components of an access restricting system. 

Figure 2 is a pictorial diagram of a typical 
switching device constructed in accordance with various 
features of the present invention. 

Figure 3 is a general schematic diagram of the 
electrical system of the access restricting system 
pictured in Figure 1. 

Figure 4 is a detailed schematic diagram of the 
electrical system of the present invention. 

Figure 5 illustrates a flow diagram of the 
operational steps of the software layer of the invention 
during the start-up in which the software verifies that 
the hardware is functioning prior to allowing the user 
access to the computer. 

Figure 6 illustrates a flow diagram of operational 
steps of the software in TSR mode and the steps in the 
"QUIT" portion of the software that verifies that no 
unauthorized changes have been made to the protected 
disks during the period of the operator's use. 
Best Mode For Carrying Out The Invention 

A layered protection system for a computer disk is 
illustrated pictorially in Figures 1A, 1B, and 1C. 
Figure 1A illustrates a key 34 and a lock means 28 that 
cooperate with a security switch 18 illustrated in Figure 
1B. These elements are shown as representing the 
"hardware" portion of the layered protection system for 
a computer disk. 

The mechanical components of the lock and switch 
means are well known in the art and are typical of the 
multiple-pole, multiple-throw locking electrical switch 
that can be obtained "off the shelf". Of importance is 
the manner, described herein, that the locking electrical 
switch is interfaced with the computer. It will be 
recognized by those skilled in the art that the switch 
18, with its key 34 and lock 28, can also be installed 
directly within the computer 30 or within a housing for 
the fixed disk drive. The choice of location will depend 
upon the particular installation plan for the present 
invention, the important feature being to interrupt the 
communication between the hard disk and the computer. 

A perspective view of a typical embodiment of this 
hardware portion of the administrative control level is 
shown at 22 in Figure 2. This includes a housing 20 for 
the enclosure of the switch 18 (not shown in this 
figure), this switch accepting the aforementioned key 34 
and lock 28. Illustrated are the various electrical 
cables 12, 14 that connect the switch with a disk drive 
controller and the disk drive itself. 

While a mechanical key and lock have been described 
and illustrated, it will of course be understood that an 
electronic or a digital security switch, which are well 
known in the art, will also provide a suitable means for 
preventing or allowing access. 

A general schematic diagram of the system of the 

position, the hard disk memory can be both written to and 
read from so that the full and complete capabilities of 
the computer and its associated hard disk memory are 
available to the operator. When key 34 is inserted and 
switch 18 operated to the "READ ONLY" mode, the line 
labelled "WRITE DATA +" is open-circuited by contacts 1 
and 2, the line labelled "WRITE DATA -" is open-circuited 
by contacts 3 and 4 and the "WRITE GATE" line is open- 
circuited between contacts 7 and 9 of switch 18A, 
precluding any possibility of writing to (storing data 
on) the hard disk memory. In the "WRITE ONLY" position 
of the switch 18, the "READ GATE" lines are open- 
circuited by contacts 5 and 6 of section B of switch 18, 
as shown, so that no data stored on the hard disk memory 
can be read. In the "NEITHER" position of the switch, 
the three lines labeled "WRITE FAULT", "DRIVE SELECT 1" 
and "DRIVE SELECT 2" are disabled by being electrically 
connected through contacts 7 and 8 of switch 18A to the 
"WRITE GATE" line through isolating diodes 38. 

It will be recognized by those skilled in the art 
that this is necessary to avoid the pick-up or generation 
of noise in the open leads. Simultaneously, the "WRITE 
GATE" line is again open-circuited between contacts 7 and 
9 of switch 18A as described above. 

Of course, it will also be apparent to those 
skilled in the art that, in another embodiment of the 
present invention, existing cables to a computer to be 
modified with the present invention can be replaced by 
wholly fabricated replacement cables with the switching 
device of the present invention manufactured in place as 
an integral part of such replacement cables. 
Furthermore, as has already been mentioned, security 
switch 18 or its equivalent can be mounted or attached in 
some location other than that exemplified, such as 
directly on the circuit board of the controller or disk 
drive, for instance. 
In the preferred embodiment, the software layer of 
the present invention is utilized to verify that the 
hardware is functioning to disable the disk controller. 
This layer verifies that a protected disk is indeed 
protected. 

The flow diagrams depicted in Figs. 6 and 7 
illustrate the operation of the software system in the 
preferred embodiment. 

While the flow diagrams can be easily read by those 
skilled in the art, the system operation based on the 
rules depicted in the diagrams will be discussed. 
However, it will be noted that the flow diagrams depict 
preferred operational embodiments. The specific 
references are enclosed as examples only, and are not 
intended to limit the scope of the invention. 

Initially, the operator disengages the computer 
from any and all unclassified connections, e.g. a 
network, and the key 34 is removed from the switch 18 as 
indicated at 120 "configure for protective mode". The 
operator then inserts the boot disk which contains the 
software level of the security system and turns the 
computer on. The "autoexec.bat" file contained on the 
boot disk activates the "protect" program. The "protect" 
program can be initiated to protect all drives, all 
drives except a given drive, or any specifically 
designated drive(s). For purposes of illustration the 
flow diagram designates drive "n" as any given drive. 

The program then initiates the status log record at 
125. The audit record status is set at zero (0) at 126 
and the keyboard is locked at 127. While the audit 
record status can be designated as any given set of 
values, in the preferred, illustrated embodiment the 
values shown in Table 1 are used. 
Value   Meaning 

0       Start-up not completed; Quit not run. 
1       Failure during start-up. 
2       Start-up successfully run; Quit not run. 
3       Write attempt to protected drive during operation. 
4       Test failure during operation. 
5       Test failure during running Quit. 
9       Quit successfully run at session end; there were no 
        anomalies. 

Table 1 



The system then identifies the first protected 
drive and determines if that drive is indeed protected at 
130. In the event that the drive is not protected, this 
result is displayed at 135 and the audit record status is 
updated to one (1). The operator is prompted to 
reconfigure for protected mode and instructed that the 
software will reboot the system in a preselected amount 
of time. In the illustrated preferred embodiment the 
system reboots in about fifteen (15) seconds. This 
causes the "Protect" program to be reactivated at 124. 
If drive "n" passes the initial test at 130, that result 
is displayed and the program repeats 130 for each 
protected drive. When the last protected drive passes 
the initial test at 130, the audit record status is 
updated to two (2) and the display notifies the user that 
the test of the protected drives is complete. The boot 
record, the File Allocation Table (FAT) and the checksums 
of each protected drive are copied to the boot disk at 
140. The protect program enters a "terminate and stay 
resident" (TSR) mode and the keyboard is unlocked at 
145. Those skilled in the art will recognize that the 
locking of the keyboard at 127 and the unlocking of the 
keyboard at 145 is an internal feature of the software 
and is not to be confused with the locking electrical 
switch described above. 

At this point the operator has complete use of the 
processing capabilities of the computer. The TSR protect 
program continually monitors at 150 any attempt to write 
to a protected disk. When such an attempt is detected at 
155, the operator is prompted to reinsert the boot disk, 
and the audit record status is updated to three (3). The 
operator is prompted to reconfigure for protected mode 
and instructed that the software will reboot the system 
in a preselected amount of time. In the illustrated 
preferred embodiment the system reboots in about fifteen 
(15) seconds. This reinitiates the "Protect" program at 
124. 

When the user is finished operating in a classified 
environment the user must reinsert the boot disk and 
execute the "Quit" program. The "Quit" program compares 
the current boot record, the current FAT, and the current 
checksums with those saved on the boot disk. If the 
records are the same, the audit record status is updated 
to nine (9). The system locks the keyboard and displays 
the test results at 164. In the preferred embodiment, 
the system displays: 

Checksum test complete. Sanitize the 
system; be sure to power down and remove all 
classified materials. 
At this time the system must be powered down. 

If the current records are different than the 
records saved on the boot disk, the audit record status 
is updated to five (5). The keyboard is locked and the 
system notifies the user of the failure. In the 
preferred embodiment, the system displays: 

FAILURE: Drive "n" failed the checksum 
[boot, or FAT] test. CONTACT YOUR DIVISION 
COMPUTER SECURITY OFFICER (CSO) IMMEDIATELY. 
At this time the system must be powered down. 
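The start-up test, the saving of the boot record, FAT and checksums at 140, the TSR detection of a write attempt, and the "Quit" comparison described above, modelled in Python as an added illustration (this is not the patent's "protect"/"Quit" program). The Drive class, the 512-byte sector size, the placement of the FAT in sectors 1 and 2, and the probe-write form of the test at 130 are assumptions made for the example; switch 18 is simulated by a flag that keeps the write lines open.

```python
import hashlib
from dataclasses import dataclass, field

# Audit record status values from Table 1 of the description.
NOT_COMPLETED, STARTUP_FAILURE, STARTUP_OK = 0, 1, 2
WRITE_ATTEMPT, OPERATION_FAILURE, QUIT_FAILURE, QUIT_OK = 3, 4, 5, 9
SECTOR = 512  # assumed sector size for the constructed disk image


@dataclass
class Drive:
    """Constructed stand-in for a hard disk: a byte image plus a flag that
    plays the role of switch 18 holding the WRITE lines open (READ ONLY)."""
    name: str
    image: bytearray
    write_lines_open: bool = True

    def write(self, offset: int, data: bytes) -> bool:
        """Return True only if the write actually reached the image."""
        if self.write_lines_open:
            return False
        self.image[offset:offset + len(data)] = data
        return True


def sha(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def snapshot(drive: Drive) -> dict:
    """Step 140: record the boot record, the FAT and per-sector checksums."""
    img = bytes(drive.image)
    return {"boot": sha(img[:SECTOR]),
            "FAT": sha(img[SECTOR:3 * SECTOR]),  # assumed: FAT in sectors 1-2
            "checksum": [sha(img[i:i + SECTOR]) for i in range(0, len(img), SECTOR)]}


@dataclass
class ProtectSession:
    """PROTECT (start-up + TSR) and QUIT steps, keeping the audit record."""
    status: int = NOT_COMPLETED
    log: list = field(default_factory=list)
    saved: dict = field(default_factory=dict)

    def _set(self, status: int, note: str) -> None:
        self.status = status
        self.log.append((status, note))

    def startup(self, drives) -> int:
        """Steps 125-145: each drive must refuse a probe write (assumed test 130); then snapshot."""
        self._set(NOT_COMPLETED, "status log started; keyboard locked")
        for d in drives:
            before = bytes(d.image)
            if d.write(len(d.image) - SECTOR, b"PROTECT PROBE"):
                d.image[:] = before  # probe landed: drive is not protected
                self._set(STARTUP_FAILURE, f"drive {d.name} NOT protected; reboot")
                return self.status
            self.log.append((self.status, f"drive {d.name} passed test 130"))
        self.saved = {d.name: snapshot(d) for d in drives}
        self._set(STARTUP_OK, "protected drive tests complete; TSR armed")
        return self.status

    def write_attempt(self, drive: Drive) -> int:
        """Steps 150-155: the TSR saw a write aimed at a protected drive."""
        self._set(WRITE_ATTEMPT, f"write attempt on drive {drive.name}; reboot")
        return self.status

    def quit(self, drives) -> list:
        """Steps 160-164: compare current records with those saved at 140; return differing (drive, test) pairs."""
        failures = [(d.name, test) for d in drives
                    for test, val in snapshot(d).items()
                    if self.saved[d.name][test] != val]
        if failures:
            self._set(QUIT_FAILURE, f"FAILURE: {failures}; contact the CSO")
        else:
            self._set(QUIT_OK, "checksum test complete; sanitize and power down")
        return failures
```

The audit log kept in `ProtectSession.log` is the status-log record the description refers to; each entry pairs a Table 1 value with the event that produced it.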

From the foregoing description, it will be 
recognized by those skilled in the art that a layered 
protection system for a computer disk offering advantages 
over the prior art has been provided. Specifically, the 
layered protection system for a computer disk provides a 
multilayered system incorporating hardware and software 
which verifiably prevents undesirable access to a 
computer's hard disk, and if warranted the system further 
prevents undesirable access to a computer's floppy disk 
drive(s), while allowing an operator to use the 
computer's central processor. The system maintains a 
status log of all protected disk checks and activities 
for purposes of routine security audit checks. It will 
be obvious to those skilled in the art that while in the 
protected mode the system also prevents "virus" 
contamination of protected drives. 

While a preferred embodiment has been shown and 
described, it will be understood that it is not intended 
to limit the disclosure, but rather it is intended to 
cover all modifications and alternate methods falling 
within the spirit and the scope of the invention as 
defined in the appended claims. 
Having thus described the aforementioned invention, 
We claim: 

1. A layered protection system for controlling 
access to a hard disk memory system from a disk drive 
controller of a computer system, which comprises: 

a switch means connected between said disk drive 
controller and said disk memory system, said switch means 
having contact means connected to selected electrical 
circuits joining said disk drive controller to said disk 
memory system, and having means for selectively accessing 
selected of said contact means; 

lock means associated with said switch means to 
selectively inhibit access to a protected disk drive's 
operation via said switch means; and 

means for selectively operating said lock means 
for administrative control of accessing said disk memory 
system from said disk drive controller. 

2. The layered protection system of Claim 1 
wherein said switch means and said lock means associated 
with said switch means are mounted in a housing separate 
from said disk drive controller and said hard disk memory 
system. 

3. The layered protection system of Claim 1 
wherein said switch means and said lock means associated 
with said switch means are mounted on the same printed 
circuit board as other electronic components of said disk 
drive controller. 

4. The layered protection system of Claim 1 
wherein said switch means and said lock means associated 
with said switch means are mounted in a housing 
containing said hard disk memory system. 
5. The layered protection system of Claim 1 
wherein said switch means is a rotary switch member 
having a plurality of selected rotary positions whereby 
said means for accessing said contacts is a rotary shaft 
carrying moving contacts whereby, at a given rotary 
position, a selected number of said rotary contacts 
interact with a selected number of said contact means for 
selectively connecting selective of said electrical 
circuits joining said hard disk memory system and said 
disk drive controller. 

6. The layered protection system of Claim 5 
wherein said plurality of rotary positions provides for 
at least operation in an unprotected mode wherein a disk 
in said protected disk drive may be read from and written 
to; operation in a mode allowing a disk in said protected 
disk drive to be read from but not written to; operation 
in a mode allowing a disk in said protected disk drive to 
be written to but not read from and operation in a mode 
wherein a disk in said disk drive can neither be read 
from nor written to. 

7. A layered protection system for controlling 
access to a computer's disk memory system from a disk 
drive controller of a computer system, which comprises: 

a switch means connected between said disk drive 
controller and said disk memory system, said switch means 
having contact means connected to selected electrical 
circuits joining said disk drive controller to said disk 
memory system, and having means for selectively accessing 
selected of said contact means; 

lock means associated with said switch means to 
selectively inhibit access to a protected disk drive's 
operation via said switch means; 
means for selectively operating said lock means for 
administrative control of accessing said disk memory 
system from said disk drive controller; 

hardware verification means whereby said switch 
means is tested to insure that said switch means is 
selectively operated to disallow access to said protected 
disk drive and is operable; 

protected disk drive selection means for 
selectively controlling which said disk drive is to be 
protected; and 

protected disk drive identification means for 
determining which of said computer's said disks are 
protected. 

8. The layered protection system of Claim 7 
wherein said layered system further comprises: 

status audit means whereby security status of said 
protected disks is recorded for security audit purposes. 

9. The layered protection system of Claim 7 
wherein said layered system further comprises: 

access inhibiting means whereby unauthorized 
attempts to access said protected disk drive are 
obstructed. 

10. The layered protection system of Claim 7 
wherein said layered system further comprises: 

non-access verification means whereby said layered 
protection system can verify that no access to said 
protected disk drives has been allowed. 

11. A layered protection system for controlling 
access to a computer's disk memory system from a disk 
drive controller of a computer system, which comprises: 

a switch means connected between said disk drive 
controller and said disk memory system, said switch means 
having contact means connected to selected electrical 
circuits joining said disk drive controller to said disk 
memory system, and having means for selectively accessing 
selected of said contact means; 

lock means associated with said switch means to 
selectively inhibit access to a protected disk drive's 
operation via said switch means; 

means for selectively operating said lock means for 
administrative control of accessing said disk memory 
system from said disk drive controller; 

hardware verification means whereby said switch 
means is tested to insure that said switch means is 
selectively operated to disallow access to said protected 
disk drive and is operable; 

protected disk drive selection means for 
selectively controlling which said disk drive is to be 
protected; 

protected disk drive identification means for 
determining which of said computer's said disk drives are 
protected; 

status audit means whereby security status of said 
protected disk drives is recorded for security audit 
purposes; 

access inhibiting means whereby unauthorized 
attempts to access said protected disk drive are 
obstructed; and 

non-access verification means whereby said layered 
protection system can verify that no access to said 
protected disk drives has been allowed. 